From nobody Fri Oct 3 05:27:33 2025 Received: from plesk.hostmyservers.fr (plesk.hostmyservers.fr [45.145.164.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9AC56307AF9; Thu, 4 Sep 2025 14:11:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.145.164.37 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756995088; cv=none; b=U5xXYMBbUNXv05UhwGvhsttz9ljOwJH0dZyLIgACrp9KDDM1sim3Hi6+yNgHFqAddGpBPS/wu+B3s4gL9mnqJcbkyFZPzRk0hST2AlKoaj1c0RL7SRQMJ1H6fT6s5pfeNDa6gKIm5gNetO8ITyVwtoc9FRtAspQFAu1ii0rpY5Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756995088; c=relaxed/simple; bh=fzCPTNn8nu0FtclJsY7lvQPxusay7GTZ07NEl3wxy08=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=KU+6Pzfsp8Xx++cS7ucySwlAKYDOYSYZ0AF/Iz+j+IJ5lmL329N0sNrmc8BjkiU00e09jmg8nAen/l7oFvIvTqb78ZDR0aPWl7KSGMtr+Rb6otjsysRcvGM886rNv3Kvq2e4X7O4QIUmVOJW6NigbHjqjcONzOtuuBEkYb5apNQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=arnaud-lcm.com; spf=pass smtp.mailfrom=arnaud-lcm.com; arc=none smtp.client-ip=45.145.164.37 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=arnaud-lcm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arnaud-lcm.com Received: from 7cf34ddaca59.ant.amazon.com (unknown [IPv6:2a01:e0a:3e8:c0d0:74c4:9b58:271e:cbdf]) by plesk.hostmyservers.fr (Postfix) with ESMTPSA id A16AF41E6B; Thu, 4 Sep 2025 14:11:17 +0000 (UTC) Authentication-Results: Plesk; spf=pass (sender IP is 2a01:e0a:3e8:c0d0:74c4:9b58:271e:cbdf) smtp.mailfrom=contact@arnaud-lcm.com smtp.helo=7cf34ddaca59.ant.amazon.com Received-SPF: pass (Plesk: connection is authenticated) 
From: Arnaud Lecomte To: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: syztest Date: Thu, 4 Sep 2025 16:11:13 +0200 Message-Id: <20250904141113.40660-1-contact@arnaud-lcm.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <6887e3c8.a00a0220.b12ec.00ad.GAE@google.com> References: <6887e3c8.a00a0220.b12ec.00ad.GAE@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-PPP-Message-ID: <175699507802.11890.12523896466965428946@Plesk> X-PPP-Vhost: arnaud-lcm.com Content-Type: text/plain; charset="utf-8" #syz test diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c index 3615c06b7dfa..1389712bc1df 100644 --- a/kernel/bpf/stackmap.c +++ b/kernel/bpf/stackmap.c @@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *ma= p) sizeof(struct bpf_stack_build_id) : sizeof(u64); } =20 +/** + * stack_map_calculate_max_depth - Calculate maximum allowed stack trace d= epth + * @size: Size of the buffer/map value in bytes + * @elem_size: Size of each stack trace element + * @flags: BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, = ...) + * + * Return: Maximum number of stack trace entries that can be safely stored + */ +static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flag= s) +{ + u32 skip =3D flags & BPF_F_SKIP_FIELD_MASK; + u32 max_depth; + u32 curr_sysctl_max_stack =3D READ_ONCE(sysctl_perf_event_max_stack); + + max_depth =3D size / elem_size; + max_depth +=3D skip; + if (max_depth > curr_sysctl_max_stack) + return curr_sysctl_max_stack; + + return max_depth; +} + static int prealloc_elems_and_freelist(struct bpf_stack_map *smap) { u64 elem_size =3D sizeof(struct stack_map_bucket) + 
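Review bot: The kernel-doc `Return:` line on `stack_map_calculate_max_depth()` says the value is the number of entries that can be safely stored, but the body adds `skip` to `size / elem_size` before clamping, so the result is a collection depth that can exceed the buffer's capacity by up to `skip` entries. A caller that reads the comment literally could use the return value as a copy bound. I would reword it along the lines of `Return: Maximum number of entries to collect, including the skip count from @flags and capped at sysctl_perf_event_max_stack; the buffer holds at most @size / @elem_size of them`. The helper also divides by `elem_size` unchecked, which is fine for the `stack_map_data_size()` result passed by the visible callers but is worth stating as a precondition in the comment.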
@@ -300,22 +322,20 @@ static long __bpf_get_stackid(struct bpf_map *map, BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map, u64, flags) { - u32 max_depth =3D map->value_size / stack_map_data_size(map); - u32 skip =3D flags & BPF_F_SKIP_FIELD_MASK; + u32 elem_size =3D stack_map_data_size(map); bool user =3D flags & BPF_F_USER_STACK; struct perf_callchain_entry *trace; bool kernel =3D !user; + u32 max_depth; =20 if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK | BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID))) return -EINVAL; =20 - max_depth +=3D skip; - if (max_depth > sysctl_perf_event_max_stack) - max_depth =3D sysctl_perf_event_max_stack; - + max_depth =3D stack_map_calculate_max_depth(map->value_size, elem_size, f= lags); trace =3D get_perf_callchain(regs, 0, kernel, user, max_depth, false, false); + trace->nr =3D min_t(u32, trace->nr, max_depth); =20 if (unlikely(!trace)) /* couldn't fetch the stack trace */ @@ -350,6 +370,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_da= ta_kern *, ctx, { struct perf_event *event =3D ctx->event; struct perf_callchain_entry *trace; + u32 elem_size, max_depth; bool kernel, user; __u64 nr_kernel; int ret; @@ -371,11 +392,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_= data_kern *, ctx, return -EFAULT; =20 nr_kernel =3D count_kernel_ip(trace); + elem_size =3D stack_map_data_size(map); =20 if (kernel) { __u64 nr =3D trace->nr; =20 trace->nr =3D nr_kernel; + max_depth =3D + stack_map_calculate_max_depth(map->value_size, elem_size, flags); + trace->nr =3D min_t(u32, nr_kernel, max_depth); ret =3D __bpf_get_stackid(map, trace, flags); =20 /* restore nr */ 
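Review bot: In `bpf_get_stackid`, the added `trace->nr = min_t(u32, trace->nr, max_depth);` dereferences `trace` before the `if (unlikely(!trace))` check that follows it, so a NULL return from `get_perf_callchain()` becomes a kernel NULL-pointer dereference instead of `-EFAULT`. Move the clamp below the check, so that `if (unlikely(!trace)) return -EFAULT;` runs first and `trace->nr = min_t(u32, trace->nr, max_depth);` comes after it. The rest of the function continues outside the hunk.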
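Review bot: In the `kernel` branch of `bpf_get_stackid_pe`, the context line `trace->nr = nr_kernel;` is now a dead store, because the added `trace->nr = min_t(u32, nr_kernel, max_depth);` overwrites it before anything reads it. Dropping the first assignment leaves a single clamped store and makes it obvious which value `__bpf_get_stackid()` sees. The restore of `nr` sits after the `/* restore nr */` comment, outside the hunk.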
@@ -388,6 +413,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_da= ta_kern *, ctx, return -EFAULT; =20 flags =3D (flags & ~BPF_F_SKIP_FIELD_MASK) | skip; + max_depth =3D + stack_map_calculate_max_depth(map->value_size, elem_size, flags); + trace->nr =3D min_t(u32, trace->nr, max_depth); ret =3D __bpf_get_stackid(map, trace, flags); } return ret; @@ -406,8 +434,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struc= t task_struct *task, struct perf_callchain_entry *trace_in, void *buf, u32 size, u64 flags, bool may_fault) { - u32 trace_nr, copy_len, elem_size, num_elem, max_depth; bool user_build_id =3D flags & BPF_F_USER_BUILD_ID; + u32 trace_nr, copy_len, elem_size, max_depth; bool crosstask =3D task && task !=3D current; u32 skip =3D flags & BPF_F_SKIP_FIELD_MASK; bool user =3D flags & BPF_F_USER_STACK; @@ -438,21 +466,20 @@ static long __bpf_get_stack(struct pt_regs *regs, str= uct task_struct *task, goto clear; } =20 - num_elem =3D size / elem_size; - max_depth =3D num_elem + skip; - if (sysctl_perf_event_max_stack < max_depth) - max_depth =3D sysctl_perf_event_max_stack; + max_depth =3D stack_map_calculate_max_depth(size, elem_size, flags); =20 if (may_fault) rcu_read_lock(); /* need RCU for perf's callchain below */ =20 - if (trace_in) + if (trace_in) { trace =3D trace_in; - else if (kernel && task) + trace->nr =3D min_t(u32, trace->nr, max_depth); + } else if (kernel && task) { trace =3D get_callchain_entry_for_task(task, max_depth); - else + } else { trace =3D get_perf_callchain(regs, 0, kernel, user, max_depth, crosstask, false); + } =20 if (unlikely(!trace) || trace->nr < skip) { if (may_fault) @@ -461,7 +488,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struc= t task_struct *task, } =20 trace_nr =3D trace->nr - skip; - trace_nr =3D (trace_nr <=3D num_elem) ? trace_nr : num_elem; copy_len =3D trace_nr * elem_size; =20 ips =3D trace->ip + skip; --=20 2.47.3
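Review bot: The user-stack branch of `bpf_get_stackid_pe` now writes `trace->nr = min_t(u32, trace->nr, max_depth);` and returns without putting the old value back, whereas the kernel branch in the previous hunk saves `nr` and restores it after the call. `trace` appears to be the perf sample's own callchain rather than a private copy, so later consumers of the sample may see the truncated count; that is inferred from the save/restore in the kernel branch, not shown here. Saving the count first (`u32 nr = trace->nr;`) and adding `trace->nr = nr;` after `__bpf_get_stackid()` would keep both branches consistent. The `trace_in` branch added to `__bpf_get_stack` in the `@@ -438` hunk clamps a caller-owned entry the same way and needs the same treatment, or a comment saying the caller restores it.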
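Review bot: Removing `trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;` in `__bpf_get_stack` leaves `copy_len = trace_nr * elem_size` bounded only by the assumption that every source of `trace` honoured `max_depth`. The `trace_in` path is clamped explicitly in the previous hunk, but `get_callchain_entry_for_task()` and `get_perf_callchain()` are not visible here, so this patch alone does not show whether they can return more than `max_depth` entries. Since `copy_len` presumably sizes the copy into `buf`, I would keep a local bound such as `trace_nr = min_t(u32, trace_nr, size / elem_size);` so the write limit does not depend on callee behaviour. The copy itself is outside the hunk.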